parent
8d4e5fb6e8
commit
8107b4cbab
95
grafana.spec
95
grafana.spec
@ -25,7 +25,7 @@ end}
|
||||
|
||||
Name: grafana
|
||||
Version: 10.2.6
|
||||
Release: 19%{?dist}
|
||||
Release: 18%{?dist}
|
||||
Summary: Metrics dashboard and graph editor
|
||||
License: AGPL-3.0-only
|
||||
URL: https://grafana.org
|
||||
@ -118,7 +118,7 @@ Requires: shared-mime-info
|
||||
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 8
|
||||
# This ensures that the grafana-selinux package and all its dependencies are
|
||||
# not pulled into containers and other systems that do not use SELinux
|
||||
Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-any)
|
||||
Requires: (grafana-selinux = %{version}-%{release} if selinux-policy-targeted)
|
||||
%else
|
||||
Requires: grafana-selinux = %{version}-%{release}
|
||||
%endif
|
||||
@ -740,11 +740,15 @@ Graphite, InfluxDB & OpenTSDB.
|
||||
|
||||
# SELinux package
|
||||
%package selinux
|
||||
Summary: SELinux policy module supporting grafana
|
||||
Requires: selinux-policy-any
|
||||
Requires(post): selinux-policy-any, /usr/sbin/semanage
|
||||
Requires(postun): /usr/sbin/semanage
|
||||
BuildRequires: selinux-policy-devel
|
||||
Summary: SELinux policy module supporting grafana
|
||||
BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
|
||||
%if "%{_selinux_policy_version}" != ""
|
||||
Requires: selinux-policy >= %{_selinux_policy_version}
|
||||
%endif
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: selinux-policy-targeted
|
||||
Requires(post): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
|
||||
Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
|
||||
|
||||
%description selinux
|
||||
SELinux policy module supporting grafana
|
||||
@ -759,6 +763,10 @@ rm -r plugins-bundled
|
||||
%setup -q -T -D -b 2
|
||||
%endif
|
||||
|
||||
# SELinux policy
|
||||
mkdir SELinux
|
||||
cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
|
||||
|
||||
%patch -P 1 -p1
|
||||
%patch -P 2 -p1
|
||||
%patch -P 3 -p1
|
||||
@ -801,11 +809,15 @@ for cmd in grafana grafana-cli grafana-server; do
|
||||
done
|
||||
|
||||
# SELinux policy
|
||||
mkdir selinux
|
||||
cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} selinux
|
||||
cd SELinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
|
||||
mv grafana.pp grafana.pp.${selinuxvariant}
|
||||
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
|
||||
done
|
||||
cd -
|
||||
|
||||
make -f %{_datadir}/selinux/devel/Makefile grafana.pp
|
||||
bzip2 -9 grafana.pp
|
||||
|
||||
%install
|
||||
# dirs, shared files, public html, webpack
|
||||
@ -870,12 +882,14 @@ echo "d %{_rundir}/%{name} 0755 %{GRAFANA_USER} %{GRAFANA_GROUP} -" \
|
||||
install -p -m 644 -D %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
|
||||
# SELinux policy
|
||||
cd SELinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
install -D -m 0644 grafana.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2
|
||||
install -D -p -m 0644 selinux/grafana.if \
|
||||
%{buildroot}%{_datadir}/selinux/devel/include/distributed/grafana.if
|
||||
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
|
||||
install -p -m 644 grafana.pp.${selinuxvariant} \
|
||||
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/grafana.pp
|
||||
done
|
||||
cd -
|
||||
|
||||
%pre
|
||||
%sysusers_create_compat %{SOURCE3}
|
||||
@ -981,46 +995,39 @@ export GOEXPERIMENT=boringcrypto
|
||||
%doc README.md ROADMAP.md SECURITY.md SUPPORT.md UPGRADING_DEPENDENCIES.md WORKFLOW.md
|
||||
|
||||
# SELinux policy
|
||||
%pre selinux
|
||||
%selinux_relabel_pre
|
||||
|
||||
%post selinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
%selinux_modules_install -s ${selinuxvariant} %{_datadir}/selinux/packages/${selinuxvariant}/grafana.pp.bz2 &>/dev/null
|
||||
/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
|
||||
semodule -X400 -r grafana &>/dev/null || true
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -i \
|
||||
%{_datadir}/selinux/${selinuxvariant}/grafana.pp &> /dev/null || :
|
||||
done
|
||||
%selinux_relabel_post
|
||||
|
||||
if [ "$1" -le "1" ]; then # First install
|
||||
# The daemon needs to be restarted for the custom label to be applied.
|
||||
# This will fail in case "post selinux" is executed before the service file is installed,
|
||||
# but then it is safe to ignore since the service will first start with the proper label
|
||||
%systemd_postun_with_restart grafana.service &> /dev/null || :
|
||||
fi
|
||||
/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
|
||||
/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
|
||||
/usr/sbin/semanage port -a -t grafana_port_t -p tcp 3000 &> /dev/null || :
|
||||
|
||||
%postun selinux
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
if [ $1 -eq 0 ]; then
|
||||
/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
|
||||
%selinux_modules_uninstall -s ${selinuxvariant} grafana
|
||||
%selinux_relabel_post -s ${selinuxvariant}
|
||||
fi
|
||||
done
|
||||
if [ $1 -eq 0 ] ; then
|
||||
/usr/sbin/semanage port -d -p tcp 3000 &> /dev/null || :
|
||||
for selinuxvariant in %{selinux_variants}
|
||||
do
|
||||
/usr/sbin/semodule -s ${selinuxvariant} -r grafana &> /dev/null || :
|
||||
done
|
||||
/sbin/restorecon -RvF /usr/sbin/grafana* &> /dev/null || :
|
||||
/sbin/restorecon -RvF /etc/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/log/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /var/lib/grafana &> /dev/null || :
|
||||
/sbin/restorecon -RvF /usr/libexec/grafana-pcp &> /dev/null || :
|
||||
fi
|
||||
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/*/grafana.pp.*
|
||||
%{_datadir}/selinux/devel/include/distributed/grafana.if
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana
|
||||
%defattr(-,root,root,0755)
|
||||
%doc SELinux/*
|
||||
%{_datadir}/selinux/*/grafana.pp
|
||||
|
||||
%changelog
|
||||
* Tue May 20 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-19
|
||||
- Resolves RHEL-92648: Added selinux rules for ldap and other observed selinux denials
|
||||
- Reworked the spec file selinux sections
|
||||
- Fixed the priority of the selinux policy
|
||||
|
||||
* Tue May 13 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-18
|
||||
- Resolves RHEL-89943: CVE-2025-4123
|
||||
|
||||
|
||||
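Review bot: Every policy-management step in `%post selinux` and `%postun selinux` discards both its output and its exit status (`&> /dev/null || :`, `|| true`), so a module that fails to load leaves grafana running without the intended confinement and nothing in the transaction log says so; keep the `|| :` (a scriptlet must not abort the transaction) but drop the redirect or report the failure on the `semodule -i` line, e.g. `/usr/sbin/semodule -s ${selinuxvariant} -i %{_datadir}/selinux/${selinuxvariant}/grafana.pp || echo "warning: grafana SELinux module (${selinuxvariant}) not loaded" >&2`. The same silencing hides a rejected `semanage port -a -t grafana_port_t -p tcp 3000`, which happens whenever tcp/3000 already carries a label, so on such hosts the port never gets the `grafana_port_t` type the policy's `name_bind` rule relies on; `... || /usr/sbin/semanage port -m -t grafana_port_t -p tcp 3000 &> /dev/null || :` would cover that case. Which of the scriptlet lines are old versus new is not recoverable from this rendering, so the point is raised on the section as a whole; the `%build` and `%install` hunks cut through their sections and the `cd SELinux` / `selinux/grafana.if` directory names in them are worth checking for consistency whichever side survives.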
43
grafana.te
43
grafana.te
@ -27,6 +27,13 @@ gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_mysql_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to postgresql's default tcp port of 5432
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to prometheus' default tcp port of 9090
|
||||
@ -34,19 +41,6 @@ gen_tunable(grafana_can_tcp_connect_mysql_port, false)
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to postgresql's default tcp port of 5432
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow grafana to connect to ldap's tcp port
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(grafana_can_tcp_connect_ldap_port, false)
|
||||
|
||||
type grafana_t;
|
||||
type grafana_exec_t;
|
||||
@ -101,9 +95,6 @@ allow grafana_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
|
||||
|
||||
allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };
|
||||
allow grafana_t grafana_var_lib_t:file map;
|
||||
|
||||
allow grafana_t self:unix_stream_socket connectto;
|
||||
|
||||
allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
|
||||
@ -116,14 +107,6 @@ optional_policy(`
|
||||
allow grafana_t smtp_port_t:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type ntop_port_t;
|
||||
class tcp_socket { name_bind };
|
||||
}
|
||||
allow grafana_t ntop_port_t:tcp_socket name_bind;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type usr_t;
|
||||
@ -159,14 +142,6 @@ optional_policy(`
|
||||
allow grafana_t autofs_t:dir getattr;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
require {
|
||||
type postfix_local_t;
|
||||
class dir { search };
|
||||
}
|
||||
allow postfix_local_t grafana_var_lib_t:dir search;
|
||||
')
|
||||
|
||||
manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||
manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||
|
||||
@ -238,10 +213,6 @@ tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default
|
||||
corenet_tcp_connect_postgresql_port(grafana_t)
|
||||
')
|
||||
|
||||
tunable_policy(`grafana_can_tcp_connect_ldap_port',`
|
||||
corenet_tcp_connect_ldap_port(grafana_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_private_tmp(grafana_tmp_t)
|
||||
')
|
||||
|
||||
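Review bot: With the `ntop_port_t` `name_bind` rule gone from the optional_policy block at `@ -116,14 +107,6` (reading the sides as removed-first, which the `Release: 19` → `Release: 18` hunk in the spec suggests), grafana_t can bind tcp/3000 only after the spec's `semanage port -a -t grafana_port_t -p tcp 3000` has succeeded, and as far as I recall tcp/3000 is already labelled `ntop_port_t` in the distribution base policy, which makes that `-a` fail and the failure is silenced by `&> /dev/null || :`. The likely outcome is a `name_bind` denial on first start wherever the port was never relabelled; either keep a `name_bind` on `ntop_port_t` (tunable-gated, with a `## <desc>` block like the other tunables) or have the spec fall back to `semanage port -m` when `-a` is rejected. The `@ -101,9 +95,6` hunk drops `execute execute_no_trans` and `map` on `grafana_var_lib_t`, which is the right least-privilege direction but deserves a one-line comment stating that plugin binaries under the var-lib tree are intentionally not executable, so the next denial report does not simply reinstate the rule. The ldap `gen_tunable` and its `tunable_policy` block are at least removed together; every hunk here cuts through the surrounding policy file, so the blocks around them are not visible.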